WordPress 4.7.1 and prior versions are affected by multiple vulnerabilities. A remote attacker could exploit some of these vulnerabilities to take control of an affected website.
WordPress versions 4.7.1 and earlier are affected by four issues:
WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plug-ins and themes from accidentally causing a vulnerability.
On February 1, WordPress disclosed an additional vulnerability that is fixed in version 4.7.2.
TechCERT encourages users and administrators to review the WordPress Security Release and upgrade to WordPress 4.7.2.